def test_parse_scope_default(self):
u = LDAPUrl("ldap:///??")
self.assertNone(
u.scope) # on opposite to RFC4516 s3 for referral chasing
u = LDAPUrl("ldap:///???")
self.assertNone(
u.scope) # on opposite to RFC4516 s3 for referral chasing
def test_parse_schemes(self):
u = LDAPUrl("ldap://")
self.assertEquals(u.urlscheme, "ldap")
u = LDAPUrl("ldapi://")
self.assertEquals(u.urlscheme, "ldapi")
u = LDAPUrl("ldaps://")
self.assertEquals(u.urlscheme, "ldaps")
def test_parse_empty_dn(self):
u = LDAPUrl("ldap://")
self.assertEquals(u.dn, "")
u = LDAPUrl("ldap:///")
self.assertEquals(u.dn, "")
u = LDAPUrl("ldap:///?")
self.assertEquals(u.dn, "")
def _createConnectionString(self, server_info):
""" Convert a server info mapping into a connection string
"""
protocol = server_info['protocol']
if protocol == 'ldapi':
hostport = server_info['host']
else:
hostport = '%s:%s' % (server_info['host'], server_info['port'])
ldap_url = LDAPUrl(urlscheme=protocol, hostport=hostport)
return ldap_url.initializeUrl()
def _createConnectionString(self, server_info):
""" Convert a server info mapping into a connection string
"""
protocol = server_info["protocol"]
if protocol == "ldapi":
hostport = server_info["host"]
else:
hostport = "%s:%s" % (server_info["host"], server_info["port"])
ldap_url = LDAPUrl(urlscheme=protocol, hostport=hostport)
return ldap_url.initializeUrl()
def test_parse_extensions(self):
u = LDAPUrl("ldap:///????")
self.assertNone(u.extensions)
self.assertNone(u.who)
u = LDAPUrl("ldap:///????bindname=cn=root")
self.assertEquals(len(u.extensions), 1)
self.assertEquals(u.who, "cn=root")
u = LDAPUrl("ldap:///????!bindname=cn=root")
self.assertEquals(len(u.extensions), 1)
self.assertEquals(u.who, "cn=root")
u = LDAPUrl("ldap:///????bindname=%3f,X-BINDPW=%2c")
self.assertEquals(len(u.extensions), 2)
self.assertEquals(u.who, "?")
self.assertEquals(u.cred, ",")
def test_isLDAPUrl(self):
for ldap_url, expected in self.is_ldap_url_tests.items():
result = ldapurl.isLDAPUrl(ldap_url)
self.assertEqual(
result, expected,
'isLDAPUrl("%s") returns %d instead of %d.' % (
ldap_url,
result,
expected,
))
if expected:
LDAPUrl(ldapUrl=ldap_url)
else:
with self.assertRaises(ValueError):
LDAPUrl(ldapUrl=ldap_url)
def test_bad_urls(self):
for bad in (
"",
"ldap:",
"ldap:/",
":///",
"://",
"///",
"//",
"/",
#"ldap:///?????", # extension can't start with '?'
"LDAP://",
"invalid://",
"ldap:///??invalid",
#XXX-- the following should raise exceptions!
#"ldap://:389/", # [host [COLON port]]
#"ldap://a:/", # [host [COLON port]]
#"ldap://%%%/", # invalid URL encoding
#"ldap:///?,", # attrdesc *(COMMA attrdesc)
#"ldap:///?a,", # attrdesc *(COMMA attrdesc)
#"ldap:///?,a", # attrdesc *(COMMA attrdesc)
#"ldap:///?a,,b", # attrdesc *(COMMA attrdesc)
#"ldap://%00/", # RFC4516 2.1
#"ldap:///%00", # RFC4516 2.1
#"ldap:///?%00", # RFC4516 2.1
#"ldap:///??%00", # RFC4516 2.1
#"ldap:///????0=0", # extype must start with Alpha
#"ldap:///????a_b=0", # extype contains only [-a-zA-Z0-9]
#"ldap:///????!!a=0", # only one exclamation allowed
):
try:
LDAPUrl(bad)
self.fail("should have raised ValueError: %r" % bad)
except ValueError:
pass
def _handle_referral(self, exception):
# Following referral
e = exception.args[0]
info = e.get('info')
ldap_url = info[info.find('ldap'):]
if isLDAPUrl(ldap_url):
conn_str = LDAPUrl(ldap_url).initializeUrl()
lo_ref = ldap.initialize(conn_str)
if self.ca_certfile:
lo_ref.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca_certfile)
if self.start_tls == 1:
try:
lo_ref.start_tls_s()
except:
univention.debug.debug(univention.debug.LDAP,
univention.debug.WARN,
'Could not start TLS')
elif self.start_tls == 2:
lo_ref.start_tls_s()
lo_ref.simple_bind_s(self.binddn, self.__encode_pwd(self.bindpw))
return lo_ref
else:
raise ldap.CONNECT_ERROR, 'Bad referral "%s"' % str(e)
def _handle_referral(self, exception):
univention.debug.debug(univention.debug.LDAP, univention.debug.INFO, 'Following LDAP referral')
exc = exception.args[0]
info = exc.get('info')
ldap_url = info[info.find('ldap'):]
if isLDAPUrl(ldap_url):
conn_str = LDAPUrl(ldap_url).initializeUrl()
lo_ref = ldap.ldapobject.ReconnectLDAPObject(conn_str, trace_stack_limit=None)
if self.ca_certfile:
lo_ref.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca_certfile)
if self.start_tls == 1:
try:
lo_ref.start_tls_s()
except:
univention.debug.debug(univention.debug.LDAP, univention.debug.WARN, 'Could not start TLS')
elif self.start_tls == 2:
lo_ref.start_tls_s()
lo_ref.simple_bind_s(self.binddn, self.__encode_pwd(self.bindpw))
return lo_ref
else:
raise ldap.CONNECT_ERROR('Bad referral "%s"' % (exc,))
def test_ldapurl(self):
for ldap_url_str, test_ldap_url_obj in self.parse_ldap_url_tests:
ldap_url_obj = LDAPUrl(ldapUrl=ldap_url_str)
self.assertEqual(
ldap_url_obj, test_ldap_url_obj,
'Attributes of LDAPUrl({}) are:\n{}\ninstead of:\n{}'.format(
repr(ldap_url_str),
repr(ldap_url_obj),
repr(test_ldap_url_obj),
))
unparsed_ldap_url_str = test_ldap_url_obj.unparse()
unparsed_ldap_url_obj = LDAPUrl(ldapUrl=unparsed_ldap_url_str)
self.assertEqual(
unparsed_ldap_url_obj, test_ldap_url_obj,
'Attributes of LDAPUrl({}) are:\n{}\ninstead of:\n{}'.format(
repr(unparsed_ldap_url_str),
repr(unparsed_ldap_url_obj),
repr(test_ldap_url_obj),
))
def extract_referrals(e):
"""Extract the referral LDAP URL from a
ldap.PARTIAL_RESULTS exception object"""
if e.args[0].has_key('info'):
info, ldap_url_info = [
x.strip() for x in e.args[0]['info'].split('\n', 1)
]
else:
raise ValueError, "Referral exception object does not have info field"
ldap_urls = [LDAPUrl(l) for l in ldap_url_info.split('\n')]
matched = e.args[0].get('matched', None)
return (matched, ldap_urls)
def test_parse_dn(self):
u = LDAPUrl("ldap:///")
self.assertEquals(u.dn, "")
u = LDAPUrl("ldap:///dn=foo")
self.assertEquals(u.dn, "dn=foo")
u = LDAPUrl("ldap:///dn=foo%2cdc=bar")
self.assertEquals(u.dn, "dn=foo,dc=bar")
u = LDAPUrl("ldap:///dn=foo%20bar")
self.assertEquals(u.dn, "dn=foo bar")
u = LDAPUrl("ldap:///dn=foo%2fbar")
self.assertEquals(u.dn, "dn=foo/bar")
u = LDAPUrl("ldap:///dn=foo%2fbar?")
self.assertEquals(u.dn, "dn=foo/bar")
u = LDAPUrl("ldap:///dn=foo%3f?")
self.assertEquals(u.dn, "dn=foo?")
u = LDAPUrl("ldap:///dn=foo%3f")
self.assertEquals(u.dn, "dn=foo?")
u = LDAPUrl("ldap:///dn=str%c3%b6der.com")
self.assertEquals(u.dn, "dn=str\xc3\xb6der.com")
def test_parse_scope(self):
u = LDAPUrl("ldap:///??sub")
self.assertEqual(u.scope, ldapurl.LDAP_SCOPE_SUBTREE)
u = LDAPUrl("ldap:///??sub?")
self.assertEqual(u.scope, ldapurl.LDAP_SCOPE_SUBTREE)
u = LDAPUrl("ldap:///??base")
self.assertEqual(u.scope, ldapurl.LDAP_SCOPE_BASE)
u = LDAPUrl("ldap:///??base?")
self.assertEqual(u.scope, ldapurl.LDAP_SCOPE_BASE)
u = LDAPUrl("ldap:///??one")
self.assertEqual(u.scope, ldapurl.LDAP_SCOPE_ONELEVEL)
u = LDAPUrl("ldap:///??one?")
self.assertEqual(u.scope, ldapurl.LDAP_SCOPE_ONELEVEL)
u = LDAPUrl("ldap:///??subordinates")
self.assertEqual(u.scope, ldapurl.LDAP_SCOPE_SUBORDINATES)
u = LDAPUrl("ldap:///??subordinates?")
self.assertEqual(u.scope, ldapurl.LDAP_SCOPE_SUBORDINATES)
def test_parse_attrs(self):
u = LDAPUrl("ldap:///?")
self.assertEquals(u.attrs, None)
u = LDAPUrl("ldap:///??")
self.assertEquals(u.attrs, None)
u = LDAPUrl("ldap:///?*?")
self.assertEquals(u.attrs, ['*'])
u = LDAPUrl("ldap:///?*,*?")
self.assertEquals(u.attrs, ['*', '*'])
u = LDAPUrl("ldap:///?a")
self.assertEquals(u.attrs, ['a'])
u = LDAPUrl("ldap:///?%61")
self.assertEquals(u.attrs, ['a'])
u = LDAPUrl("ldap:///?a,b")
self.assertEquals(u.attrs, ['a', 'b'])
u = LDAPUrl("ldap:///?a%3fb")
self.assertEquals(u.attrs, ['a?b'])
def test_parse_hostport(self):
u = LDAPUrl("ldap://a")
self.assertEquals(u.hostport, "a")
u = LDAPUrl("ldap://a.b")
self.assertEquals(u.hostport, "a.b")
u = LDAPUrl("ldap://a.")
self.assertEquals(u.hostport, "a.")
u = LDAPUrl("ldap://%61%62:%32/")
self.assertEquals(u.hostport, "ab:2")
u = LDAPUrl("ldap://[::1]/")
self.assertEquals(u.hostport, "[::1]")
u = LDAPUrl("ldap://[::1]")
self.assertEquals(u.hostport, "[::1]")
u = LDAPUrl("ldap://[::1]:123/")
self.assertEquals(u.hostport, "[::1]:123")
u = LDAPUrl("ldap://[::1]:123")
self.assertEquals(u.hostport, "[::1]:123")
def connect(self):
"""Connect to the LDAP server provided by the configuration.
@raise ldap.LDAPError if the connection cannot be established
"""
# set security options through the configuration
# we connect on a first listed, first tried basis
for url in self.configuration.urls:
try:
self.configuration.tls_settings(url)
self.ldap_connection = ldap.initialize(url)
self.ldap_url = LDAPUrl(ldapUrl=url)
break
except ldap.LDAPError:
self.log.raiseException("Failed to connect to the LDAP server at %s" % (url,))
def getoldcfgdsinfo(args):
"""Use the old style sroot/shared/config/dbswitch.conf to get the info"""
dbswitch = open("%s/shared/config/dbswitch.conf" % args['sroot'], 'r')
try:
matcher = re.compile(r'^directory\s+default\s+')
for line in dbswitch:
m = matcher.match(line)
if m:
url = LDAPUrl(line[m.end():])
ary = url.hostport.split(":")
if len(ary) < 2:
ary.append(389)
else:
ary[1] = int(ary[1])
ary.append(url.dn)
return ary
finally:
dbswitch.close()
def test_parse_scope(self):
u = LDAPUrl("ldap:///??sub")
self.assertEquals(u.scope, ldap.SCOPE_SUBTREE)
u = LDAPUrl("ldap:///??sub?")
self.assertEquals(u.scope, ldap.SCOPE_SUBTREE)
u = LDAPUrl("ldap:///??base")
self.assertEquals(u.scope, ldap.SCOPE_BASE)
u = LDAPUrl("ldap:///??base?")
self.assertEquals(u.scope, ldap.SCOPE_BASE)
u = LDAPUrl("ldap:///??one")
self.assertEquals(u.scope, ldap.SCOPE_ONELEVEL)
u = LDAPUrl("ldap:///??one?")
self.assertEquals(u.scope, ldap.SCOPE_ONELEVEL)
def getnewcfgdsinfo(new_instance_arguments):
"""Use the new style prefix /etc/dirsrv/admin-serv/adm.conf.
new_instance_arguments = {'admconf': obj } where obj.ldapurl != None
"""
try:
url = LDAPUrl(new_instance_arguments['admconf'].ldapurl)
except AttributeError:
log.error("missing ldapurl attribute in new_instance_arguments: %r" %
new_instance_arguments)
raise
ary = url.hostport.split(":")
if len(ary) < 2:
ary.append(389)
else:
ary[1] = int(ary[1])
ary.append(url.dn)
return ary
def _handle_referral(self, exception):
# type: (ldap.REFERRAL) -> ldap.ldapobject.ReconnectLDAPObject
"""
Follow LDAP rederral.
:param exception ldap.REFERRAL: The LDAP referral exception.
:returns: LDAP connection object for the referred LDAP server.
:rtype: ldap.ldapobject.ReconnectLDAPObject
"""
univention.debug.debug(univention.debug.LDAP, univention.debug.INFO,
'Following LDAP referral')
exc = exception.args[0]
info = exc.get('info')
ldap_url = info[info.find('ldap'):]
if isLDAPUrl(ldap_url):
conn_str = LDAPUrl(ldap_url).initializeUrl()
# FIXME?: this upgrades a access(reconnect=False) connection to a reconnect=True connection
lo_ref = ldap.ldapobject.ReconnectLDAPObject(
conn_str, trace_stack_limit=None)
if self.ca_certfile:
lo_ref.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca_certfile)
if self.start_tls == 1:
try:
lo_ref.start_tls_s()
except:
univention.debug.debug(univention.debug.LDAP,
univention.debug.WARN,
'Could not start TLS')
elif self.start_tls == 2:
lo_ref.start_tls_s()
lo_ref.simple_bind_s(self.binddn, self.__encode_pwd(self.bindpw))
return lo_ref
else:
raise ldap.CONNECT_ERROR('Bad referral "%s"' % (exc, ))
class LdapConnection(object):
"""Represents a connection to an LDAP server.
- Offers a set of convenience functions for querying and updating the server.
- Requires a Configuration object that can be queried for providing details about the connection (server, port, ...)
Implemented low-level funcitonality:
- connect
- search (synchronously, asynchronously)
- modify
- add
"""
def __init__(self, configuration):
"""Initialisation. Not done lazily.
@type configuration: vsc.ldap.utils.Configuration subclass instance, implementing the actual functions to request
information.
"""
self.log = fancylogger.getLogger(name=self.__class__.__name__)
self.configuration = configuration
self.ldap_connection = None
def connect(self):
"""Connect to the LDAP server provided by the configuration.
@raise ldap.LDAPError if the connection cannot be established
"""
if self.configuration.check_server_certificate:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.configuration.validation_method)
ldap_url = self.configuration.url
try:
self.ldap_connection = ldap.initialize(ldap_url)
except ldap.LDAPError, _:
self.log.raiseException("Failed to connect to the LDAP server at %s" % (ldap_url))
## generate ldapurl obj after succesfull connect
self.ldap_url = LDAPUrl(ldapUrl=ldap_url)
def handle_referral(self, exception):
""" Handle a referral specified in a exception """
payload = exception.args[0]
info = payload.get('info')
ldap_url = info[info.find('ldap'):]
if isLDAPUrl(ldap_url):
conn_str = LDAPUrl(ldap_url).initializeUrl()
if self.binduid_usage == 1:
user_dn = self.bind_dn
user_pwd = self.bind_pwd
else:
user = getSecurityManager().getUser()
try:
user_dn = user.getUserDN()
user_pwd = user._getPassword()
except AttributeError: # User object is not a LDAPUser
user_dn = user_pwd = ''
return self._connect(conn_str, user_dn, user_pwd)
else:
raise ldap.CONNECT_ERROR, 'Bad referral "%s"' % str(exception)
def test_parse_default_hostport(self):
u = LDAPUrl("ldap://")
self.assertEquals(u.urlscheme, "ldap")
self.assertEquals(u.hostport, "")
def test_parse_default_extensions(self):
u = LDAPUrl("ldap://")
self.assertEquals(len(u.extensions), 0)
def test_parse_default_scope(self):
u = LDAPUrl("ldap://")
self.assertNone(u.scope) # RFC4516 s3
def test_parse_default_filter(self):
u = LDAPUrl("ldap://")
self.assertNone(u.filterstr) # RFC4516 s3
def test_parse_default_attrs(self):
u = LDAPUrl("ldap://")
self.assertNone(u.attrs)
#!/usr/bin/python
import sys,os,time,ldap
from ldap.ldapobject import LDAPObject
from ldapurl import LDAPUrl
try:
ldap_url = LDAPUrl(sys.argv[1])
num_tests = int(sys.argv[2])
except IndexError:
print 'Usage: pref_test.py <LDAP URL> <number of tests>'
sys.exit(1)
iter = num_tests
start_time = time.time()
l = LDAPObject(ldap_url.initializeUrl(),trace_level=0)
l.protocol_version = 3
l.simple_bind_s(ldap_url.who or '',ldap_url.cred or '')
while iter:
l.search_s(
ldap_url.dn,
ldap_url.scope or ldap.SCOPE_BASE,
ldap_url.filterstr or '(objectClass=*)',
ldap_url.attrs or ['*']
)
iter -= 1
def test_parse_extensions_nulls(self):
u = LDAPUrl("ldap:///????bindname=%00name")
self.assertEquals(u.who, "\0name")
def test_parse_extensions_5questions(self):
u = LDAPUrl("ldap:///????bindname=?")
self.assertEquals(len(u.extensions), 1)
self.assertEquals(u.who, "?")
def test_parse_extensions_novalue(self):
u = LDAPUrl("ldap:///????bindname")
self.assertEquals(len(u.extensions), 1)
self.assertNone(u.who)
def connect(self, bind_dn='', bind_pwd=''):
""" initialize an ldap server connection """
conn = None
if bind_dn != '':
user_dn = bind_dn
user_pwd = bind_pwd or '~'
elif self.binduid_usage == 1:
user_dn = self.bind_dn
user_pwd = self.bind_pwd
else:
user = getSecurityManager().getUser()
try:
user_dn = user.getUserDN()
user_pwd = user._getPassword()
except AttributeError: # User object is not a LDAPUser
user_dn = user_pwd = ''
conn = getResource('%s-connection' % self._hash, str, ())
if conn._type() is not StringType:
try:
conn.simple_bind_s(user_dn, user_pwd)
conn.search_s(self.u_base, self.BASE, '(objectClass=*)')
return conn
except ( AttributeError
, ldap.SERVER_DOWN
, ldap.NO_SUCH_OBJECT
, ldap.TIMEOUT
, ldap.INVALID_CREDENTIALS
):
pass
e = None
for server in self._servers:
getter = server.get
protocol = getter('protocol')
if protocol == 'ldapi':
hostport = getter('host')
else:
hostport = '%s:%s' % (getter('host'), getter('port'))
ldap_url = LDAPUrl(urlscheme=protocol, hostport=hostport)
try:
newconn = self._connect( ldap_url.initializeUrl()
, user_dn
, user_pwd
, conn_timeout=getter('conn_timeout')
, op_timeout=getter('op_timeout')
)
return newconn
except ( ldap.SERVER_DOWN
, ldap.TIMEOUT
, ldap.INVALID_CREDENTIALS
), e:
continue